[Samba] user password hash
Rowland penny
rpenny at samba.org
Wed Oct 9 07:11:06 UTC 2019
On 09/10/2019 03:19, Nico Kadel-Garcia wrote:
> On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 08/10/2019 12:53, Jonathon Reinhart wrote:
>>>
>>> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>> On 08/10/2019 12:27, Elias Pereira via samba wrote:
>>> > hello list,
>>> >
>>> > What kind of hashing/encryption samba4 ADDC uses for user
>>> passwords? base64?
>>>
>>>
>>> Base64 is neither a hash nor an encryption algorithm; it is an encoding.
>> That is why I said 'basically' ;-)
>>> >
>>> > Thanks!
>>> >
>>> Basically yes, but it is a bit more involved. To create an AD user's
>>> password in bash, you would have to do something like this:
>>>
>>> UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
>>> base64 -w 0)
>>>
>>>
>>> Where is this scheme applied?
>> On my Hard drive ;-)
>>> Are you saying Samba stores plaintext passwords in the database?
>> No, that bit of bash turns a plain password into what you would store in
>> the user's 'unicodePwd' attribute.
>>
>> For instance, if $PASSWORD == password , you would get
>> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>>
>> Rowland
> I appreciate that this is how to pass the plaintext password for
> setting it, for storage by the Kerberos back end. If Samba is using
> Kerberos in normal fashion, *nothing* ever sees the plain text
> password again. A decent explanation lives at
> https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and
> there are many others.
Sorry but you are wrong ;-)
You can sync passwords with 'samba-tool user syncpasswords'
You could run something like this on a Samba AD DC:
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        -b 'dc=samdom,dc=example,dc=com' -s sub \
        '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
This will get you a user's password; you just need to run it through the
reverse of what I posted earlier to see the actual user's password.
The OP asked what the password 'hash' was. I took this to mean 'how do I
see a password'. I suppose the question has to be 'why does he want to
see the password?'
Rowland
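
The transformation from the bash one-liner quoted in this thread, as an added example that is not part of the original message or of Samba's tooling: it builds the quoted, UTF-16LE, base64 form of a password and decodes it again, which shows that this step is a reversible encoding and not a hash. The function names `encode_unicodepwd` and `decode_unicodepwd` are hypothetical, and GNU `base64` and `iconv` are assumed.

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical, not Samba commands.
# Assumes GNU coreutils base64 (-w, -d) and iconv are installed.

# Encode a plaintext password the way the thread's one-liner does:
# wrap it in double quotes, convert UTF-8 to UTF-16LE, then base64
# the bytes on a single line. printf avoids echo's escape handling.
encode_unicodepwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
}

# Reverse the encoding. The body runs in a subshell so its variable
# stays private. Exits non-zero if the bytes are not valid UTF-16LE
# or the decoded text is not wrapped in the expected double quotes.
decode_unicodepwd() (
    quoted=$(printf '%s' "$1" | base64 -d 2>/dev/null \
        | iconv -f UTF-16LE -t UTF-8 2>/dev/null) || exit 1
    case "$quoted" in
        '"'*'"') ;;          # needs an opening and a closing quote
        *) exit 1 ;;
    esac
    quoted=${quoted#\"}      # strip the leading quote
    quoted=${quoted%\"}      # strip the trailing quote
    printf '%s\n' "$quoted"
)

# Constructed sample input: the example password used in the thread.
encoded=$(encode_unicodepwd 'password')
printf 'encoded: %s\n' "$encoded"
printf 'decoded: %s\n' "$(decode_unicodepwd "$encoded")"
```

Because the round trip needs no key, the encoded string is exactly as sensitive as the plaintext and should be handled the same way in scripts, logs and LDIF files.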